
CN109983745A - Security system and method using an automated bot with a natural language interface to improve response time for security alert response and mediation - Google Patents

Publication number
CN109983745A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201780071008.9A
Other languages
Chinese (zh)
Inventor
R·S·S·库马尔
B·J·史密斯
A·W·威克
D·L·玛瑟
D·C·拉德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Technology Licensing LLC
Application filed by Microsoft Technology Licensing LLC
Publication of CN109983745A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/205 Parsing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/30 Semantic analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

A computing system for generating automated responses to improve the response time for diagnosing security alerts includes a processor and a memory. An application is stored in the memory and executed by the processor. The application includes instructions for: receiving a text phrase related to a security alert; selecting one of a plurality of intents corresponding to the text phrase using a natural language interface with a natural language model; and mapping the selected intent to one of a plurality of actions. Each of the plurality of actions includes at least one of a static response, a dynamic response and a task. The application includes instructions for sending a response based on at least one of the static response, the dynamic response and the task.

Description

Security system and method using an automated bot with a natural language interface to improve response time for security alert response and mediation
Technical Field
The present disclosure relates to computer systems and methods, and more particularly to security systems and methods that use an automated bot with a natural language interface to improve response time for security alert response and mediation.
Background
The background description provided here is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
Computer networks are often attacked by hackers who attempt to destroy, expose, alter, disable or steal an asset, or to gain unauthorized access to or make unauthorized use of an asset. Some computer networks use a set of rules or machine learning to detect threats, identify abnormal activity and generate security alerts. The security alerts are forwarded to one or more security analysts for further investigation and diagnosis.
Because there are many different attack strategies, it can be difficult to identify whether a security alert is real or a false positive. Real threats should be investigated further and escalated, while false positives should be closed as soon as possible. For example, a denial of service (DOS) attack attempts to make resources such as a network server unavailable to users. A brute force attack attempts to guess the password corresponding to a user name by trial and error in order to gain access to a computer network. Browser-based attacks target end users who browse the Internet. A browser-based attack may encourage an end user to unintentionally download malware disguised as a fake software update, an e-mail attachment or an application.
A Secure Sockets Layer (SSL) attack attempts to intercept data sent over an encrypted connection. A botnet attack uses a group of hijacked computers that are remotely controlled by one or more malicious attackers. A backdoor attack bypasses the normal authentication process to allow arbitrary remote access. A backdoor may be present in software by design, may be enabled by other programs, or may be created by altering an existing program.
The set of rules or the machine learning algorithm makes imperfect detection guesses. In other words, a large number of the security alerts are false positives. Security analysts must manually check all of the security alerts. When a security alert is received, the security analyst usually reviews visualizations, bar charts, directed graphs and the like on a dashboard. The security analyst collects contextual information and attaches it to the security alert. The security analyst writes queries and performs root cause analysis to assess whether the security alert is real or a false positive.
In many cases the security alert is a false positive. Nevertheless, the response steps performed by the security analyst are very time consuming. Organizations waste substantial funds investigating false positive security alerts. In addition to the wasted time and effort, a more serious consequence is that false positives divert security analyst resources away from pursuing real security alerts.
Summary
A computing system for generating automated responses to improve the response time for diagnosing security alerts includes a processor and a memory. An application is stored in the memory and executed by the processor. The application includes instructions for: receiving a text phrase related to a security alert; selecting one of a plurality of intents corresponding to the text phrase using a natural language interface with a natural language model; and mapping the selected intent to one of a plurality of actions. Each of the plurality of actions includes at least one of a static response, a dynamic response and a task. The application includes instructions for sending a response based on at least one of the static response, the dynamic response and the task.
In other features, the application receives the text phrase from one of an e-mail application or a chat application. The application sends the response using the e-mail application or the chat application. The natural language model is configured to: generate one or more probabilities that the text phrase corresponds to one or more of the plurality of intents, respectively; select the one of the plurality of intents corresponding to the highest of the probabilities as the selected intent; compare the probability of the selected intent with a predetermined threshold; output the selected intent if the probability of the selected intent is greater than the predetermined threshold; and not output the selected intent if the probability of the selected intent is less than or equal to the predetermined threshold.
In other features, the action includes a task, and the application includes instructions for executing the task, including instructions for: generating a query based on the text phrase; sending a request including the query to a security server; and including a result of the query from the security server in the response.
In other features, the action includes a task, and the application includes instructions for executing the task, including instructions for: generating a query based on the text phrase; sending a request including the query to a threat intelligence server; and including a result of the query from the threat intelligence server in the response.
In other features, the action includes turning on multi-factor authentication, and the application includes instructions for turning on multi-factor authentication for a remote computer based on the selected intent.
In other features, the action includes forwarding one of a suspicious file or a suspicious uniform resource link (URL) to a file to a remote server. The application includes instructions for forwarding the one of the suspicious file or the suspicious uniform resource link (URL) to the remote server.
In other features, the application includes instructions for receiving, from the remote server, a response indicating whether the one of the suspicious file or the suspicious URL link is safe, and instructions for indicating in the response whether the one of the suspicious file or the suspicious URL link is safe.
In other features, the selected intent corresponds to a request to close the security alert as a false positive, the application includes instructions for sending a code to a cellular phone, and the application includes instructions for closing the security alert if the code is received.
In other features, the natural language interface creates the natural language model in response to training using text phrase and intent pairs.
A method for generating automated responses to improve the response time for diagnosing security alerts includes: receiving, at a security bot server, a text phrase related to a security alert from one of an e-mail application and a chat application; in response to receiving the text phrase, executing a natural language model using a natural language interface of the security bot server to select one of a plurality of intents corresponding to the text phrase as a selected intent; and, in response to identification of the selected intent, mapping the selected intent to one of a plurality of actions using the security bot server. Each of the plurality of actions includes at least one of a static response, a dynamic response and a task. The method includes sending a response based on the one of the plurality of actions, using the security bot server, via the one of the e-mail application and the chat application.
In other features, executing the natural language model using the natural language interface of the security bot server further includes: generating one or more probabilities that the text phrase corresponds to one or more of the plurality of intents, respectively; selecting the one of the plurality of intents corresponding to the highest of the probabilities as the selected intent; comparing the probability of the selected intent with a predetermined threshold; outputting the selected intent if the probability of the selected intent is greater than the predetermined threshold; and not outputting the selected intent if the probability of the selected intent is less than or equal to the predetermined threshold.
In other features, the one of the plurality of actions includes a task, and the method further includes: generating a query based on the text phrase using the security bot server; sending a request including the query to a security server using the security bot server; and including a result of the query from the security server in the response. The one of the plurality of actions includes a task, and the method further includes: generating a query based on the text phrase using the security bot server; sending a request including the query to a threat intelligence server using the security bot server; and including a result of the query from the threat intelligence server in the response.
In other features, the method includes turning on multi-factor authentication using the security bot server in response to the selected intent. The method further includes forwarding one of a suspicious file or a suspicious uniform resource link (URL) to a remote server using the security bot server.
In other features, the method includes receiving, at the security bot server, a response from the remote server indicating whether the one of the suspicious file or the suspicious URL link is safe. The response indicates whether the one of the suspicious file or the suspicious URL link is safe.
In other features, when the selected intent corresponds to a request to close the security alert as a false positive, the method includes sending a code via a cellular phone using the security bot server, and closing the security alert if the security bot server receives the code. The method includes creating the natural language model in response to training using text phrase and intent pairs.
A computing system for generating automated responses to improve the response time for diagnosing security alerts includes a processor and a memory. An application is stored in the memory and executed by the processor. The application includes instructions for: providing an interface for at least one of an e-mail application or a chat application; receiving a text phrase related to a security alert via the interface; selecting one of a plurality of intents corresponding to the text phrase, using a natural language interface with a natural language model, if a probability that the text phrase corresponds to the selected intent is greater than a predetermined probability; and mapping the selected intent to one of a plurality of actions. Each of the plurality of actions includes at least one of a static response, a dynamic response and a task. The application includes instructions for: sending a response using the interface based on at least one of the static response, the dynamic response and the task; generating a query based on the text phrase in response to the task; sending a request including the query to at least one of a security server and a threat intelligence database; and including in the response a result of the query from the at least one of the security server and the threat intelligence database.
Further areas of applicability of the present disclosure will become apparent from the detailed description, the claims and the drawings. The detailed description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the disclosure.
Brief Description of the Drawings
FIG. 1 is a functional block diagram of an example of a system according to the present disclosure that includes an automated bot with a natural language interface for improving response time for security alert response and mediation.
FIG. 2 is a functional block diagram of an example of a security bot server according to the present disclosure.
FIG. 3 is a functional block diagram of an example showing the operation of the security bot server.
FIG. 4 is a functional block diagram of an example of an analyst computer according to the present disclosure.
FIG. 5 shows an example of a method according to the present disclosure for mapping a user text phrase to an intent and mapping the intent to an action.
FIG. 6 shows an example of a method for training the natural language interface according to the present disclosure.
FIG. 7 shows an example of a method according to the present disclosure for mapping an intent to an action.
FIG. 8 shows an example mapping of text phrases to intents according to the present disclosure.
FIG. 9 shows an example of a method for executing an acquisition task according to the present disclosure.
FIG. 10 shows an example of a method for executing a detonation task according to the present disclosure.
FIG. 11 shows an example of a dialogue between a security analyst and the security bot server according to the present disclosure.
In the drawings, reference numbers may be reused to identify similar and/or identical elements.
Detailed Description
Systems and methods according to the present disclosure provide an automated system or bot with a natural language interface that assists security analysts in responding to security alerts. A security alert may be generated by a security server based on a set of rules or machine learning, or may be generated manually in response to abnormal activity, receipt of a suspicious file or URL link, or in any other manner. Security alerts may relate to alerts generated from all security layers, including the network, application, host and operating system levels. The systems and methods described herein use a conversational classification process to improve the response time for determining whether a security alert is real or a false positive.
The security bot uses the natural language interface to analyze text phrases submitted by a security analyst and to determine the intent of the security analyst. If the intent can be determined from the text phrase with sufficiently high confidence, the security bot maps the intent to an action, which may include a static response, a dynamic response and one or more tasks. Some tasks may involve generating a query, sending the query to a security-based data store (such as a data store managed at the local level by a network security server or managed globally by a threat intelligence server), and returning a response including the collected data to the security analyst. Other tasks may involve performing behavior analysis or detonating potentially malicious files and uniform resource links (URLs) to files. Still other tasks may involve enabling a higher level of authentication, such as multi-factor authentication, for a user or a group of users when suspicious activity occurs. Security analysts therefore do not need to spend time monitoring dashboards and manually writing complex queries. In some examples, the results include a high-level summary of the threat, synthesized information and/or contextual data.
Referring now to FIG. 1, a system 50 uses an automated bot with a natural language interface to improve response time for security alert response and mediation. The system 50 sends and receives data over a distributed communication system 52 such as a local area network, a wide area network (such as the Internet) or another distributed communication system. One or more analyst computers 54-1, 54-2, ..., 54-N (collectively, security analyst computers 54) communicate with a security bot server 60 via the distributed communication system 52 and a chat or e-mail application hosted by a chat or e-mail server 58. In some examples, the e-mail or chat application includes Microsoft or another suitable e-mail or chat application. In some examples, the system 50 requires a code to be entered to close a false positive security alert (to prevent hasty closing of security alerts). In some examples, as described further below, the verification process includes sending a code to cellular phones 56-1, 56-2, ..., 56-N (collectively, cellular phones 56), such as smartphones, of the security analysts. The security analyst sends the code to the security bot server 60 and, if the code is correct, the security alert is closed.
As described further below, the security bot server 60 allows a security analyst or other user to engage in a natural language dialogue during the investigation of a security alert that occurs in a network environment. In some cases, the security bot server 60 includes a natural language processing application or interface that attempts to map a text phrase (generated by the security analyst or other user) to one of a plurality of intents. If the mapping of the text phrase to one of the intents can be completed with sufficiently high confidence, the security bot server 60 maps the selected intent to an action, performs the action and generates a response.
In some examples, the action may include generating a static response, generating a dynamic response and/or performing a task. More specifically, the security bot server 60 completes the actions required for the dynamic response or the task, and generates a response that is output to the security analyst computer 54 via the e-mail or chat server 58. The security analyst and the security bot server 64 may have multiple exchanges before the security alert is further investigated, escalated, or closed because it is a false positive.
In some cases, the security bot server 60 generates a request including one or more queries and forwards the request to a network security server 64. In some examples, the network security server 64 controls network access using passwords and/or other authentication methods and network file access policies. In some examples, the network security server 64 performs threat monitoring for the local network. For example, the network security server 64 may monitor Internet Protocol (IP) header data of packets sent and received by the local network to determine: the location where a login attempt is being made, the type of device used to log in, previous login attempts by the device, previous login attempts to the account or entity, and/or other data, to help identify malicious activity and/or generate security alerts. In some examples, the network security server 64 uses behavior analysis or a set of rules to identify malicious activity. In some examples, the network security server 64 also receives or has access to data relating to attacks that have occurred on other networks and/or remediation strategies that have been used for particular files or malware types. In some examples, the network security server 64 may be implemented using Security Center or another suitable security server. The network security server 64 may store data in a local database 66, and may use the local database 66 to reply to queries relating to malware and remediation.
For example, the network security server 64 may communicate with a threat intelligence server 68 that provides access to: details of attacks that have occurred on other, non-local networks; IP addresses associated with malicious activity; malicious files; malicious URL links; and the like. Alternatively, the network security server 64 may generate and send a request including one or more queries to the threat intelligence server 68, and/or may receive data pushed from the threat intelligence server 68. The query may be based on the IP address of a login attempt, the identity of the computer making the login attempt, a suspicious file or URL link, or other information. The threat intelligence server 68 may include a database 70 that stores data relating to malware, malicious IP addresses, remediation measures and the like for responding to queries. The threat intelligence server 68 forwards the information to the network security server 64, and the network security server 64 forwards the response to the security bot server 60 (or the response may be sent directly to the security bot server 60). In other examples, the security bot server 60 may send queries directly to the threat intelligence server 68.
The security bot server 60 may send suspicious files or suspicious uniform resource location (URL) links (to files), attached by the security analyst, to a detonation server 80. The detonation server 80 may include (or be connected to another server 84 that includes) one or more processors 85, one or more virtual machines (VMs) 86 and/or a memory 88 including a behavior analysis application 91. In some examples, the behavior analysis application 91 uses machine learning to analyze the suspicious file or suspicious URL link to determine whether the suspicious file or URL link is malicious or safe. Once the determination is made, the detonation server 80 sends a message (that is, malicious or safe) to the security bot server 60. The security bot server 60 sends a message to, or otherwise notifies, the security analyst computer 54. If the file or URL link is not safe, the security bot server 60 indicates to the user that the file or URL link is not safe and instructs the user to delete the file or URL link.
After completing the dialogue with the security bot server 60, the security analyst can determine whether the security alert needs additional investigation. If additional investigation is needed, the security analyst can escalate the security alert. Alternatively, if the security analyst determines that the security alert is a false positive, the security analyst can terminate the security alert.
As discussed above, security analysts are expected to process a large number of security alerts in a short time. To prevent security alerts from being closed unintentionally or rashly, the system 50 may perform a code confirmation process. In some examples, the security bot server 60 sends a code to the security analyst. In some examples, the security bot server 60 sends the code to the cellular phone 56 of the security analyst via a cellular system 90. In some examples, the code includes a text sent using short message service (SMS). The security analyst must enter the correct code in the e-mail or chat window before the security alert can be closed.
Referring now to Figure 2, a simplified example of the security bot server 60 is shown. The security bot server 60 typically includes one or more processors 104. The security bot server 60 further includes memory 112, such as volatile or nonvolatile memory, cache or other types of memory. The security bot server 60 further includes a mass storage device 130, such as flash memory, a hard disk drive (HDD) or another mass storage device.
The processor 104 of the security bot server 60 executes an operating system 114 and one or more applications 118. In some examples, the applications 118 include an email or chat application, a security bot application 121, a natural language processing interface 122 and an authentication application 123. In some examples, the security bot application 121 is implemented using Bot Framework, but other bot applications can be used. In some examples, the natural language processing interface 122 generates a natural language model 125 based on training with known text phrase and intent pairs. In some examples, the natural language processing interface 122 includes an application protocol interface (API), but other natural language processing interfaces or engines can be used. In some examples, the security bot application 121 integrates one or more of the other applications 120, 122 and/or 123.
The security bot server 60 further includes a wired interface (such as an Ethernet interface) and/or a wireless interface (such as a Wi-Fi, Bluetooth, near-field communication (NFC) or other wireless interface), collectively identified at 120, that establishes a communication channel over the distributed communication system and/or network 52. The security bot server 60 includes a display subsystem 124, and the display subsystem 124 includes a display 126. The security bot server 60 includes mass storage 130, such as a hard disk drive or other mass storage.
Referring now to Figure 3, the security bot application 121 receives text phrases from the email or chat application via the email or chat server 58. The natural language processing interface 122 is trained using known text phrases and intents to generate the natural language model. The natural language processing interface 122 uses the natural language model to determine whether an input text phrase is sufficiently related to one or more of the trained intents.
In some examples, the natural language processing interface 122 generates one or more probabilities that the text phrase corresponds to one or more of the intents, respectively. If the probability is greater than a predetermined threshold, the natural language processing interface selects the intent having the highest probability as the selected intent. The natural language processing interface 122 outputs the selected intent (if applicable) to the security bot application 121. If none of the intents has a probability greater than the predetermined threshold, the natural language processing interface 122 outputs a default intent (such as "none").
The security bot application 121 maps the selected intent to an action. The action can include a static response, a dynamic response and/or a task. Some tasks require the security bot application to access various network resources or a local or remote context database 127, such as databases associated with the network security server 64, the threat intelligence server 68 and/or other databases.
Referring now to Figure 4, a simplified example of the security analyst computer 54 is shown. The security analyst computer 54 typically includes one or more processors 204 and an input device 208, such as a keyboard, touchpad, mouse, etc. The security analyst computer 54 further includes memory 212, such as volatile or nonvolatile memory, cache or other types of memory. The security analyst computer 54 further includes mass storage 230, such as flash memory, a hard disk drive (HDD) or other mass storage.
The processor 204 of the security analyst computer 54 executes an operating system 214 and one or more applications 218. In some examples, the applications 218 include a browser application 219 and one or more other applications 221, such as an email or chat application or interface. In some examples, the email or chat application is accessed using the browser, and/or a separate email or chat application or interface is used. In some examples, the email or chat application includes a Microsoft email or chat application or another suitable email or chat application.
The security analyst computer 54 further includes a wired interface (such as an Ethernet interface) and/or a wireless interface (such as a Wi-Fi, Bluetooth, near-field communication (NFC) or other wireless interface), collectively identified at 220, that establishes a communication channel over the distributed communication system 52. The security analyst computer 54 includes a display subsystem 224, and the display subsystem 224 includes a display 226. The security analyst computer 54 includes a mass storage system 230, such as a hard disk drive or other storage.
Referring now to Figure 5, a method 240 according to the present disclosure, executed by the security bot server 60, for mapping user text phrases to intents and mapping intents to actions is shown. At 242, the method determines whether a new user text phrase has been received in the email or chat application for processing by the security bot server 60.
At 244, the method analyzes the text phrase using natural language processing. At 246, the method determines whether the text phrase substantially corresponds to one of the intents. If 246 is false, the method sends a generic message requesting additional information or offering help, and returns to 242. If 246 is true, at 248 the method maps the selected intent to an action. At 250, the method performs the action. In some examples, the action includes at least one of the following: responding to the security analyst or other user using a static response or a dynamic response, and/or performing a task.
Referring now to Figure 6, a method 257 for training the natural language interface to generate the natural language model is shown. At 272, multiple text phrase and intent pairs are input to the natural language interface. At 274, the natural language interface creates the natural language model based on the input text phrases and intents. Then, when a text phrase is input to the natural language interface, the natural language model identifies the zero, one or more intents to which the text phrase may correspond, along with the probability that the text phrase corresponds to each specific intent. In some examples, if the probability of an intent is greater than a predetermined threshold, the natural language interface selects, from the intents of the input text phrase, the intent with the highest probability as the selected intent. In some examples, the predetermined threshold is 0.4, but other thresholds can be used. For example, an input text phrase may correspond to a first intent (20% probability), a second intent (18% probability) and a third intent (42% probability). The natural language interface selects the third intent because it has the highest probability and that probability exceeds the probability threshold.
Referring now to Figure 7, a method 300 for mapping a text phrase to an intent is shown. When a text phrase is received at 310, the method inputs the text phrase into the natural language model at 314. At 318, the natural language model generates the probabilities that the text phrase corresponds to one or more intents. At 322, the security bot application identifies the intent having the highest probability and determines whether the probability of the selected intent is greater than the predetermined probability threshold PTH. If 322 is true, the security bot application selects that intent as the selected intent at 326. If 322 is false, the security bot application responds using the default intent (for example, "none") at 330.
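
The threshold-based intent selection of method 300 and the code confirmation step described earlier for closing alerts, combined in one added Python example (not code from the patent). The intent names, the five-minute code lifetime, the three-attempt limit and the `send_code` callback are assumptions, and the probability dictionaries are constructed stand-ins for the output of the natural language model.

```python
import hmac
import secrets
import time

P_TH = 0.4                 # predetermined threshold given in the description
DEFAULT_INTENT = "none"    # default intent output when no intent clears P_TH
CLOSE_INTENT = "close_alert_false_positive"   # hypothetical intent name
CODE_TTL_SECONDS = 300     # assumption: the page gives no code lifetime
MAX_ATTEMPTS = 3           # assumption: the page gives no retry limit


def select_intent(probabilities, threshold=P_TH):
    """Steps 318-330: pick the most probable intent, or the default intent
    when its probability is less than or equal to the threshold."""
    if not probabilities:
        return DEFAULT_INTENT
    intent, p = max(probabilities.items(), key=lambda kv: kv[1])
    return intent if p > threshold else DEFAULT_INTENT


class AlertCloser:
    """Closes an alert only after the analyst returns a one-time code that
    was delivered out of band (the page uses SMS to a cellular phone)."""

    def __init__(self, send_code, clock=time.monotonic):
        self._send_code = send_code   # callable(analyst, code), e.g. an SMS gateway
        self._clock = clock
        self._pending = {}            # (analyst, alert_id) -> [code, expiry, tries left]
        self.closed = set()

    def request_close(self, analyst, alert_id):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
        expiry = self._clock() + CODE_TTL_SECONDS
        self._pending[(analyst, alert_id)] = [code, expiry, MAX_ATTEMPTS]
        self._send_code(analyst, code)
        return f"Enter the code sent to your phone to close {alert_id}."

    def confirm(self, analyst, alert_id, supplied):
        key = (analyst, alert_id)     # code is bound to one analyst and one alert
        entry = self._pending.get(key)
        if entry is None:
            return False
        code, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[key]
            return False
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(code.encode(), supplied.strip().encode()):
            del self._pending[key]    # single use: a replayed code fails
            self.closed.add(alert_id)
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[key]    # too many wrong guesses: start over
        return False


def handle_phrase(probabilities, analyst, alert_id, closer, actions):
    """Method 240: map the phrase's intent to an action and return the reply."""
    intent = select_intent(probabilities)
    if intent == DEFAULT_INTENT or (intent != CLOSE_INTENT and intent not in actions):
        return "I did not understand that. Please add detail or ask for help."
    if intent == CLOSE_INTENT:
        return closer.request_close(analyst, alert_id)   # never closes directly
    return actions[intent](alert_id)


if __name__ == "__main__":
    outbox = []
    closer = AlertCloser(lambda analyst, code: outbox.append((analyst, code)))
    actions = {"greeting": lambda alert_id: "Hello, how can I help?"}  # static response
    # Constructed model outputs; the natural language model itself is out of scope.
    print(handle_phrase({"first": 0.20, "second": 0.18, "greeting": 0.42},
                        "analyst1", "ALERT-1", closer, actions))
    print(handle_phrase({CLOSE_INTENT: 0.91}, "analyst1", "ALERT-1", closer, actions))
    print(closer.confirm("analyst1", "ALERT-1", outbox[-1][1]), closer.closed)
```
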
Referring now to Figure 8, once an intent has been selected by the natural language model, the security bot server maps the intent to a corresponding action. Although the present disclosure provides particular examples of static responses, dynamic responses and tasks, other static responses, dynamic responses and tasks can be used. Figure 8 shows an example mapping of intents to actions. In the example of Figure 8, examples of static responses include:
In Figure 8, examples of dynamic responses include:
Figure 8 also shows examples of tasks. Tasks can include acquisition tasks and detonation tasks. Acquisition tasks include attack descriptions, protection recommendations, attack susceptibility and attack heat maps. These tasks can be performed by generating a request and sending the request to the security server and/or the threat intelligence database. The security bot server 60 can send a request to the network security server 64 for a visualization of attack propagation within the local network and/or within a broader network (such as the Internet). Similarly, the security bot server 60 can send the network security server 64 a request for the user's organization chart or the user's previous login locations. The security bot server 60 can obtain who-is information by generating a query and sending it to one or more domains that provide who-is information by IP address, such as whois.net, whois.icann.org, etc. The security bot server 60 can also use the detonation server 80 to safely analyze or detonate suspicious files or URL links to suspicious files.
Referring now to Figure 9, a method 350 for performing an "acquisition" task is shown. At 354, the method determines whether the action includes an "acquisition" task. If 354 is true, at 358 the method creates a request and forwards the request to the network security server. In some examples, the method generates a query based on the text phrase and forwards the query to the network security server or the threat intelligence server. At 362, the method receives a response from the network security server or the threat intelligence server and forwards the response to the user. Examples of "acquisition" tasks include attack descriptions, protection recommendations, attack susceptibility, previous login locations, the user's organization chart, visualization of attack propagation, and attack heat maps. In some examples, as described above, the security server generates the request to the threat intelligence server.
Referring now to Figure 10, a method 400 according to the present disclosure for performing a "detonation" task is shown. At 404, the method determines whether the action includes a "detonation" task. If 404 is true, at 410 the method creates a request and forwards the request to the detonation server. In some examples, the request includes an attached suspicious file, or a suspicious URL link to a file, received from the security analyst or another source. At 414, the method receives a response from the detonation server. At 416, the method determines whether opening the suspicious file or clicking the suspicious URL link is safe. If 416 is true, at 422 the method indicates to the user that the file or URL link is safe. If 416 is false, at 426 the method indicates to the user that the file or URL link is unsafe.
Referring now to Figure 11, an example of a natural language conversation between a security analyst and the security bot server is shown. It can be appreciated that the security bot server provides responses and performs tasks that allow security alerts to be resolved with improved response times, reducing cost.
The foregoing description is merely illustrative in nature and is not intended to limit the disclosure, its application or its uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited, since other modifications will become apparent upon a study of the drawings, the specification and the appended claims. It should be understood that one or more steps within a method may be executed in a different order (or concurrently) without altering the principles of the present disclosure. Further, although each of the embodiments is described above as having certain features, any one or more of those features described with respect to any embodiment of the disclosure can be implemented in and/or combined with features of any of the other embodiments, even if that combination is not explicitly described. In other words, the described embodiments are not mutually exclusive, and permutations of one or more embodiments with one another remain within the scope of this disclosure.
Spatial and functional relationships between elements (for example, between modules, circuit elements, semiconductor layers, etc.) are described using various terms, including "connected", "engaged", "coupled", "adjacent", "next to", "on top of", "above", "below" and "disposed". Unless explicitly described as being "direct", when a relationship between first and second elements is described in the above disclosure, that relationship can be a direct relationship where no other intervening elements are present between the first and second elements, but can also be an indirect relationship where one or more intervening elements are present (either spatially or functionally) between the first and second elements. As used herein, the phrase at least one of A, B and C should be construed to mean a logical (A OR B OR C), using a non-exclusive logical OR, and should not be construed to mean "at least one of A, at least one of B, and at least one of C".
In the drawings, the direction of an arrow, as indicated by the arrowhead, generally shows the flow of information (such as data or instructions) that is of interest to the illustration. For example, when element A and element B exchange a variety of information but the information transmitted from element A to element B is relevant to the illustration, the arrow may point from element A to element B. This unidirectional arrow does not imply that no other information is transmitted from element B to element A. Further, for information sent from element A to element B, element B may send requests for, or receipt acknowledgements of, the information to element A.
The term application or code, as used above, may include software, firmware and/or microcode, and may refer to programs, routines, functions, classes, data structures and/or objects. The term memory or memory circuit is a subset of the term computer-readable medium. The term computer-readable medium, as used herein, does not encompass transitory electrical or electromagnetic signals propagating through a medium (such as on a carrier wave); the term computer-readable medium may therefore be considered tangible and non-transitory. Non-limiting examples of a non-transitory, tangible computer-readable medium are nonvolatile memory circuits (such as a flash memory circuit, an erasable programmable read-only memory circuit or a mask read-only memory circuit), volatile memory circuits (such as a static random access memory circuit or a dynamic random access memory circuit), magnetic storage media (such as an analog or digital magnetic tape or a hard disk drive) and optical storage media (such as a CD, a DVD or a Blu-ray Disc).
In this application, apparatus elements described as having particular attributes or performing particular operations are specifically configured to have those particular attributes and perform those particular operations. Specifically, a description of an element of an apparatus as performing an action means that the element is configured to perform the action. The configuration of an element may include programming of the element, such as by encoding instructions on a non-transitory, tangible computer-readable medium associated with the element.
The apparatuses and methods described in this application may be partially or fully implemented by a special purpose computer created by configuring a general purpose computer to execute one or more particular functions embodied in computer programs. The functional blocks, flowchart components and other elements described above serve as software specifications, which can be translated into computer programs by the routine work of a skilled technician or programmer.
The computer programs include processor-executable instructions that are stored on at least one non-transitory, tangible computer-readable medium. The computer programs may also include or rely on stored data. The computer programs may encompass a basic input/output system (BIOS) that interacts with hardware of the special purpose computer, device drivers that interact with particular devices of the special purpose computer, one or more operating systems, user applications, background services, background applications, etc.
The computer programs may include: (i) descriptive text to be parsed, such as JavaScript Object Notation (JSON), hypertext markup language (HTML) or extensible markup language (XML), (ii) assembly code, (iii) object code generated from source code by a compiler, (iv) source code for execution by an interpreter, (v) source code for compilation and execution by a just-in-time compiler, etc. As examples only, source code may be written using syntax from languages including C, C++, C#, Objective C, Haskell, Go, SQL, R, Lisp, Fortran, Perl, Pascal, Curl, OCaml, HTML5, Ada, ASP (Active Server Pages), PHP, Scala, Eiffel, Smalltalk, Erlang, Ruby and Lua.
None of the elements recited in the claims is intended to be a means-plus-function element within the meaning of 35 U.S.C. § 112(f) unless the element is expressly recited using the phrase "means for" or, in the case of a method claim, using the phrases "operation for" or "step for".

Claims (15)

1. A computing system for generating automated responses to improve response times for diagnosing security alerts, comprising:
a processor;
a memory;
an application stored in the memory and executed by the processor, the application including instructions for:
receiving a text phrase related to a security alert;
using a natural language interface with a natural language model to select one intent of a plurality of intents corresponding to the text phrase;
mapping the selected intent to an action of a plurality of actions, wherein each action of the plurality of actions includes at least one of a static response, a dynamic response and a task; and
sending a response based on the at least one of the static response, the dynamic response and the task.
2. The computing system according to claim 1, wherein the application receives the text phrase from one of an email application or a chat application, and wherein the application sends the response using the email application or the chat application.
3. The computing system according to claim 1, wherein the natural language model is configured to generate one or more probabilities that the text phrase corresponds to one or more intents of the plurality of intents, respectively, and wherein the application includes instructions for:
selecting the one of the plurality of intents corresponding to the highest of the probabilities as the selected intent;
comparing the probability of the selected intent with a predetermined threshold;
outputting the selected intent if the probability of the selected intent is greater than the predetermined threshold; and
not outputting the selected intent if the probability of the selected intent is less than or equal to the predetermined threshold.
4. The computing system according to claim 1, wherein the action includes the task, and wherein the application includes instructions for performing the task, including instructions for:
generating a query based on the text phrase;
sending a request including the query to a security server; and
including a result of the query from the security server in the response.
5. The computing system according to claim 1, wherein the action includes the task, and wherein the application includes instructions for performing the task, including instructions for:
generating a query based on the text phrase;
sending a request including the query to a threat intelligence server; and
including a result of the query from the threat intelligence server in the response.
6. The computing system according to claim 1, wherein the action includes turning on multi-factor authentication, and wherein the application includes instructions for turning on multi-factor authentication for a remote computer based on the selected intent.
7. The computing system according to claim 1, wherein the action includes forwarding one of a suspicious file or a suspicious uniform resource link (URL) to a file to a remote server, and wherein the application includes instructions for forwarding the one of the suspicious file or the suspicious uniform resource link (URL) to the file to the remote server.
8. The computing system according to claim 7, wherein the application includes instructions for receiving, from the remote server, a response indicating whether the one of the suspicious file or the suspicious URL link is safe, and instructions for indicating in the response whether the one of the suspicious file or the suspicious URL link is safe.
9. The computing system according to claim 1, wherein the selected intent corresponds to a request to close a security alert as a false positive, the application includes instructions for sending a code to a cellular phone, and the application includes instructions for closing the security alert if the code is received.
10. The computing system according to claim 1, wherein the natural language interface creates the natural language model in response to training with text phrase and intent pairs.
11. A method for generating automated responses to improve response times for diagnosing security alerts, comprising:
receiving, at a security bot server, a text phrase related to a security alert from one of an email application and a chat application;
in response to receiving the text phrase, executing a natural language model using a natural language interface of the security bot server to select one intent of a plurality of intents corresponding to the text phrase as a selected intent;
in response to identification of the selected intent, mapping, using the security bot server, the selected intent to one action of a plurality of actions, wherein each action of the plurality of actions includes at least one of a static response, a dynamic response and a task; and
sending, via the one of the email application and the chat application, a response based on the one action of the plurality of actions using the security bot server.
12. The method according to claim 11, wherein executing the natural language model using the natural language interface of the security bot server further includes generating one or more probabilities that the text phrase corresponds to one or more intents of the plurality of intents, respectively, and wherein the method further comprises:
selecting the one of the plurality of intents corresponding to the highest of the probabilities as the selected intent;
comparing the probability of the selected intent with a predetermined threshold;
outputting the selected intent if the probability of the selected intent is greater than the predetermined threshold; and
not outputting the selected intent if the probability of the selected intent is less than or equal to the predetermined threshold.
13. The method according to claim 11, wherein the one action of the plurality of actions includes the task, and the method further comprises:
generating a query based on the text phrase using the security bot server;
sending a request including the query to a security server using the security bot server; and
including a result of the query from the security server in the response.
14. The method according to claim 11, wherein the one action of the plurality of actions includes the task, and the method further comprises:
generating a query based on the text phrase using the security bot server;
sending a request including the query to a threat intelligence server using the security bot server; and
including a result of the query from the threat intelligence server in the response.
15. The method according to claim 11, further comprising: turning on multi-factor authentication, using the security bot server, in response to the selected intent.
CN201780071008.9A 2016-11-16 2017-11-09 Improve the security system and method for safety alarm response and the response time reconciled using automatic robot's program with natural language interface Withdrawn CN109983745A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/353,298 US20180137401A1 (en) 2016-11-16 2016-11-16 Security systems and methods using an automated bot with a natural language interface for improving response times for security alert response and mediation
US15/353,298 2016-11-16
PCT/US2017/060731 WO2018093643A1 (en) 2016-11-16 2017-11-09 Security systems and methods using an automated bot with a natural language interface for improving response times for security alert response and mediation

Publications (1)

Publication Number Publication Date
CN109983745A true CN109983745A (en) 2019-07-05

Family

ID=60413298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780071008.9A Withdrawn CN109983745A (en) 2016-11-16 2017-11-09 Improve the security system and method for safety alarm response and the response time reconciled using automatic robot's program with natural language interface

Country Status (4)

Country Link
US (1) US20180137401A1 (en)
EP (1) EP3542508A1 (en)
CN (1) CN109983745A (en)
WO (1) WO2018093643A1 (en)

Also Published As

Publication number Publication date
WO2018093643A1 (en) 2018-05-24
US20180137401A1 (en) 2018-05-17
EP3542508A1 (en) 2019-09-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20190705